AlphaSOC Analytics Engine identifies emerging threats in near real-time
AlphaSOC announced its new AlphaSOC Analytics Engine (AE) solution, a differentiated cloud-native network traffic analysis (NTA) product that uniquely identifies compromised workloads across Amazon Web Services, Microsoft Azure, and Google Cloud Platform.
Threat actors bypass existing controls by using novel command and control (C2) infrastructure that is not recognized by legacy security products. Data can also be exfiltrated from victim cloud environments via DNS tunneling, ICMP tunneling, and anonymizing circuit protocols (e.g., Tor, I2P, Freenet) without detection. Now, security teams can rapidly deploy AlphaSOC AE within their cloud environments to process telemetry in near real-time and identify compromised workloads with confidence.
“With AlphaSOC AE we are moving the industry from reactive identification of known threats, such as a domain or IP address associated with a threat actor, towards proactive identification of threats, such as a compute instance beaconing to a newly registered domain which is unique to the customer environment and has suspicious properties,” said Chris McNab, CEO and co-founder, AlphaSOC.
“Leveraging machine learning, we uncover compromised systems without relying on outdated signatures or threat feeds that describe previous attack campaigns. Our confidence rating for compromised endpoints performing unauthorized exfiltration scores consistently above 90 percent, and the number of false negatives rate below 5 percent on an annualized basis.”
AlphaSOC AE performs deep processing of network flow and DNS query logs within cloud environments and escalates findings via cloud-native services – including Amazon Web Services EventBridge, Microsoft Azure Sentinel, and Google Cloud Platform Pub/Sub – to support threat hunting and security operations teams.
It is a next-generation NTA product that identifies emerging threats and solves the “patient zero” problem through prevalence scoring and active analysis, leveraging its patented processing stack to uncover emerging threats without relying on threat intelligence or stale indicator lists. Patient zero refers to the idea that the first victim of an attack has no idea they are compromised because their tools rely on threat intelligence of known attacks.
Correlation with threat intelligence, feature analysis, and time series analysis processing layers are standard in the industry. However, AlphaSOC AE uniquely uses three additional layers to actively uncover emerging threats in near real-time and highlight anomalies:
- Active fingerprinting – through an anonymizing proxy layer AlphaSOC actively fingerprints destinations to identify command and control infrastructure in real-time.
- Reputation scoring – leveraging third-party APIs (e.g., sandboxing engines and threat blocking providers) AlphaSOC AE gathers live reputation data to highlight suspicious low reputation destinations.
- Prevalence scoring – by measuring prevalence across customer environments, AlphaSOC AE uncovers traffic patterns to rare destinations to flag risky connections.
A challenge for security teams is that threat detection capabilities differ across native products (e.g., Amazon Web Services GuardDuty and Microsoft Defender for Cloud). AlphaSOC AE provides a unified threat detection stack that multi-cloud customers can use to achieve consistent threat coverage without gaps. This reduces time-to-fix and overall remediation efforts by more than 200 percent for most SecOps teams.
AlphaSOC AE also reduces false positives since the engine has unparalleled context through its six layers of processing, discarding benign items and providing high-fidelity / high-utility alerts to security teams. AlphaSOC AE reduces the number of false positives by 60 – 90 percent when compared to legacy IDS and NTA systems.
“Since AlphaSOC AE provides instant next-generation threat detection capabilities that do not exist within cloud vendor products – such as Amazon Web Services GuardDuty or Microsoft Defender for Cloud – partners can leverage our solution to consolidate threat detection and workload protection into a unified best-of-breed product suite and gain market share,” added McNab. “There are also time / cost savings as AlphaSOC AE can be run within a container and set up in minutes, versus legacy solutions that aren’t cloud-native by design.”
AlphaSOC AE is available for Amazon Web Services, Google Cloud Platform, and Microsoft Azure. Pricing starts at $9,000 per year.